Appln. No. 10/045,007 

Amd. dated October 20, 2005 

Reply to Office Action of September 29, 2005 

Amendments to the Claims 

This listing of claims will replace all prior 
versions, and listings, of claims in the application: 
Listing of Claims: 

1. (Currently amended) A computer- implemented method 
for verifying software source code that includes references to 
program variables, the method comprising: 

processing the source code to derive a set of next -state 
functions representing control flow of the source code; 

replacing the references to the program variables in the 
source code with non-deterministic choices in the next-state 
functions ; 

restricting the next-state functions including the non- 
deterministic choices to produce a finite-state model of the 
control flow_^ 

wherein replacing the references to the program variables 
comprises eliminating the references to the program variables 
from the next-state functions, so that the finite-state model 
is substantially independent of data values of the program 
variables ; and 

verifying the finite-state model to find an error in the 
source code . 
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2. (Original) A method according to claim 1, 
wherein processing the source code comprises extracting a 
program counter from the source code, and expressing the next- 
state functions in terms of the program counter. 

3. (Original) A method according to claim 2, 
wherein processing the source code further comprises 
expressing the next -state functions with reference to a stack 
pointer associated with a stack used in running the code, and 
wherein replacing the program variables comprises eliminating 
substantially all the references to the program variables from 
the next-state functions, leaving the next-state functions 
dependent on the program counter and on the stack pointer. 

4. (Original) A method according to claim 3, 
wherein restricting the next -state functions comprises 
limiting the stack pointer to a value no greater than a 
predetermined maximum. 

5. (Canceled) 

6. (Original) A method according to claim 1, 
wherein processing the source code further comprises 
expressing the next-state functions with reference to a stack 
used in running the code, and wherein restricting the next- 
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state functions comprises limiting the stack to a depth no 
greater than a predetermined maximum. 

7. (Previously presented) A method according to 
claim 6, wherein expressing the next-state functions comprises 
expressing the next-state functions in terms of a stack 
pointer associated with the stack, and wherein limiting the 
stack comprises limiting the stack pointer to a value no 
greater than the predetermined maximum, and 

wherein expressing the next-state functions in terms of 
the stack pointer comprises incrementing the stack pointer in 
response to a function call in the source code, up to the 
predetermined maximum, and decrementing the stack pointer when 
the function returns. 

8. (Canceled) 

9. (Original) A method according to claim 1, 
wherein verifying the finite-state model comprises checking 
the finite-state model against a specification using a model 
checker . 

10. (Original) A method according to claim 9, 
wherein restricting the next-state functions comprises 
automatically producing the model from the source code in a 
form suitable for processing by the model checker, 
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substantially without human intervention in deriving and 
restricting the next -state functions or in replacing the 
references . 

11. (Original) A method according to claim 9, 
wherein checking the finite state model comprises checking the 
model against one or more formulas expressed in terms of 
temporal logic . 

12. (Original) A method according to claim 9, 
wherein checking the finite state model comprises finding a 
counter-example indicative of the error. 

13. (Currently amended) Apparatus for verifying 
software source code that includes references to program 
variables, the apparatus comprising a program analyzer, which 
is arranged to process the source code so as to derive a set 
of next-state functions representing control flow of the 
source code and to replace the references to the program 
variables in the source code with non-deterministic choices in 
the next-state functions, and further to restrict the next- 
state functions including the non-deterministic choices to 
produce a finite-state model of the control flow, which can be 
checked by a model checker to find an error in the source 
code , wherein the program analyzer is arranged to remove the 
references to the program variables from the next-state 
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functions , so that the finite-state model is substantially 
independent of data values of the program variables . 

14. (Original) Apparatus according to claim 13, 
wherein the program analyzer is arranged to extract a program 
counter from the source code, and to express the next -state 
functions in terms of the program counter. 

15. (Original) Apparatus according to claim 14, 
wherein the program analyzer is further arranged to express 
the next-state functions with reference to a stack pointer 
associated with a stack used in running the code, and to 
eliminate substantially all the references to the program 
variables from the next-state functions, leaving the next- 
state functions dependent on the program counter and on the 
stack pointer. 

16. (Original) Apparatus according to claim 15, 
wherein the program analyzer is arranged to limit the stack 
pointer to a value no greater than a predetermined maximum. 

17 . (Canceled) 

18. (Previously presented) Apparatus according to 
claim 13, wherein the program analyzer is arranged to express 
the next -state functions with reference to a stack used in 
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running the code, which is limited to a depth no greater than 
a predetermined maximum, and 

wherein the next -state functions are expressed in terms 
of a stack pointer associated with the stack, and wherein the 
stack pointer is limited to a value no greater than the 
predetermined maximum. 

19. (Canceled) 

20. (Currently amended) Apparatus according to 
claim — 1-9- claim 18 , wherein in the next-state functions, the 
stack pointer is incremented in response to a function call in 
the source code, up to the predetermined maximum, and is 
decremented when the function returns. 

21. (Original) Apparatus according to claim 13, and 
comprising a model checker, which is arranged to check the 
finite-state model against a specification. 

22. (Original) Apparatus according to claim 21, 
wherein the program analyzer is arranged to automatically 
produce the model from the source code in a form suitable for 
processing by the model checker, substantially without human 
intervention in deriving and restricting the next-state 
functions or in replacing the references. 
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23. (Original) Apparatus according to claim 21, 
wherein the model checker is arranged to check the model 
against one or more formulas expressed in terms of temporal 
logic . 

24. (Original) Apparatus according to claim 21, 
wherein the model checker is arranged to find a counter- 
example indicative of the error. 

25. (Currently amended) A computer software product 
for verifying source code that includes references to program 
variables, the product comprising a computer-readable medium 
in which program instructions are stored, which instructions, 
when read by the computer, cause the computer to process the 
source code so as to derive a set of next -state functions 
representing control flow of the source code and to replace 
the references to the program variables in the source code 
with non-deterministic choices in the next-state functions, 
and further cause the computer to restrict the next-state 
functions including the non-deterministic choices to produce a 
finite-state model of the control flow, which can be checked 
by a model checker to find an error in the source code^ 
wherein the instructions cause the computer to remove the 
references to the program variables from the next-state 
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functions, so that the finite-state model is substantially 
independent of data values of the program variables . 

26. (Original) A product according to claim 25, 
wherein the instructions cause the computer to extract a 
program counter from the source code, and to express the next- 
state functions in terms of the program counter. 

27. (Original) A product according to claim 26, 
wherein the instructions cause the computer to express the 
next-state functions with reference to a stack pointer 
associated with a stack used in running the code, and to 
eliminate substantially all the references to the program 
variables from the next-state functions, leaving the next- 
state functions dependent on the program counter and on the 
stack pointer. 

28. (Original) A product according to claim 27, 
wherein the instructions cause the computer to limit the stack 
pointer to a value no greater than a predetermined maximum. 

29 . (Canceled) 

30. (Original) A product according to claim 25, 
wherein the instructions cause the computer to express the 
next-state functions with reference to a stack used in running 
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the code, which is limited to a depth no greater than a 
predetermined maximum. 

31. (Previously presented) A product according to 
claim 30, wherein the next-state functions are expressed in 
terms of a stack pointer associated with the stack, and 
wherein the stack pointer is limited to a value no greater 
than the predetermined maximum, and 

wherein the next -state functions are expressed in terms 
of a stack pointer associated with the stack, and wherein the 
stack pointer is limited to a value no greater than the 
predetermined maximum. 

32. (Canceled) 

33. (Original) A product according to claim 25, 
wherein the instructions further cause the computer to check 
the finite-state model against a specification. 

34. (Original) A product according to claim 33, 
wherein the instructions cause the computer to automatically 
produce the model from the source code in a form suitable for 
checking against the specification, substantially without 
human intervention in deriving and restricting the next -state 
functions or in replacing the references. 
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35. (Original) A product according to claim 33, 
wherein the instructions cause the computer to check the model 
against one or more formulas expressed in terms of temporal 
logic . 

36. (Original) A product according to claim 33, 
wherein the instructions cause the computer to find a counter- 
example indicative of the error. 
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